The WannaCry ransomware attack made 2017 one of the worst years for cybersecurity in recent memory, incapacitating hundreds of thousands of computers in 150 countries and causing billions of dollars in financial losses. There was also a silver lining: suddenly, senior business executives and boards of directors began asking detailed questions about how much cyber risk their organizations faced and what the impact of a successful cyber attack would look like for their businesses. This put a premium on learning how to communicate cyber risk.
For some Chief Information Security Officers (CISOs), this may have seemed like a recipe for more paperwork rather than something to celebrate. What it really was, however, was an opportunity to change the conversation. With the right technology in place, CISOs can now communicate the impact of cyber events in terms of financial and operational risk to the business and command a conversation around resource prioritization, right sizing of budgets, and risk transference through insurance, among other things.
The Rosetta Stone that translates the technical nature of security into the language of the business is here – cyber risk quantification. By quantifying cyber risk, CISOs have the ability to speak the language of business.
“Successfully presenting cybersecurity concerns to the board requires the ability to weave a narrative around what is occurring in the broader cybersecurity industry, how attackers are affecting industry peers, and using metrics, financial impact and enterprise maturity to show how cybersecurity events will affect the enterprise,” wrote Jack Freund, in a new ISACA white paper, Reporting Cybersecurity Risk to the Board of Directors.
Freund is currently the Head of Cyber Risk Methodology at VisibleRisk and is the co-author of “Measuring and Managing Information Risk: A FAIR Approach,” which has become a global standard.
Know Your Business to Communicate Cyber Risk
Presenting cybersecurity risk to senior business leaders requires translation to bridge the gap in language and understanding. Doing this, however, first requires the CISO to understand his or her own company and its business.
“You need to understand what your business does. That is the way that you gain access to upper executives and board members,” said Jack Freund, in a new interview on the ThreatConnect Podcast (Ep. 5: Jack Freund on Cyber Risk Quantification & The FAIR Standard). “I think the way to do that is through understanding what corporate strategy looks like. And then, connecting all the cyber things that we care about on a day-to-day basis and our general blocking and tackling of attackers and missing patches, non-compliant controls. We have to connect those things at the bottom to those things at the top. And doing that requires thinking about scenarios in a progressively more detailed way.”
Understanding the business starts with understanding its strategic goals. Most often, those goals will be related to revenue, profit, product development, added revenue streams, gaining market share, cross-selling more products, and many other objectives.
Once you have this North Star understanding of what matters most to the business, you can communicate risk effectively, according to Freund. “If you go to the board [and say] ‘we need to increase our endpoint security because we’re really worried about increasing ransomware attacks and … if we experience something like that, we’re going to have a really hard time hitting these strategic goals that we plan for the organization,’ you have their attention,” he said.
These risk scenarios can be quantified in a way the board can understand. A board that understands the relationship between risk, threat and response is better equipped to weigh prioritization and resource allocation. By combining cyber risk quantification (CRQ), a threat intelligence platform (TIP) and an intelligence-led security orchestration, automation and response (SOAR) platform, CISOs can more easily demonstrate which risks they are prioritizing, the actions they are taking to mitigate those risks and the outcomes associated with those actions.
“These are meaningful conversations to businesses,” Freund said.
And let’s be clear — as security professionals, we are definitely in the business of protecting the business.